diff options
| author | srdusr <trevorgray@srdusr.com> | 2024-06-06 22:47:44 +0200 |
|---|---|---|
| committer | srdusr <trevorgray@srdusr.com> | 2024-06-06 22:47:44 +0200 |
| commit | b1f74e6c6b678b46b99902fe37e991897721c0c3 (patch) | |
| tree | 4e0bd86b03e65aef6055fa81aa84daf4686dd124 /.config/powershell/bloatware.ps1 | |
| parent | f9465476c9c5f570d1e0695002c79e7759c69fc8 (diff) | |
| download | dotfiles-b1f74e6c6b678b46b99902fe37e991897721c0c3.tar.gz dotfiles-b1f74e6c6b678b46b99902fe37e991897721c0c3.zip | |
Testing
Diffstat (limited to '.config/powershell/bloatware.ps1')
| -rw-r--r-- | .config/powershell/bloatware.ps1 | 118 |
1 files changed, 108 insertions, 10 deletions
diff --git a/.config/powershell/bloatware.ps1 b/.config/powershell/bloatware.ps1 index 0e66609..6b899c2 100644 --- a/.config/powershell/bloatware.ps1 +++ b/.config/powershell/bloatware.ps1 @@ -1,7 +1,5 @@ # bloatware.ps1 -. $HOME\.config\powershell\ownership.ps1 - # Check if Registry key exists function Check-RegistryKeyExists { param( @@ -26,6 +24,114 @@ function force-mkdir($path) { } } +function Takeown-Registry($key) { + # TODO does not work for all root keys yet + switch ($key.split('\')[0]) { + "HKEY_CLASSES_ROOT" { + $reg = [Microsoft.Win32.Registry]::ClassesRoot + $key = $key.substring(18) + } + "HKEY_CURRENT_USER" { + $reg = [Microsoft.Win32.Registry]::CurrentUser + $key = $key.substring(18) + } + "HKEY_LOCAL_MACHINE" { + $reg = [Microsoft.Win32.Registry]::LocalMachine + $key = $key.substring(19) + } + } + + # get administrator group + $admins = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-544") + $admins = $admins.Translate([System.Security.Principal.NTAccount]) + + # set owner + $key = $reg.OpenSubKey($key, "ReadWriteSubTree", "TakeOwnership") + $acl = $key.GetAccessControl() + $acl.SetOwner($admins) + $key.SetAccessControl($acl) + + # set FullControl + $acl = $key.GetAccessControl() + $rule = New-Object System.Security.AccessControl.RegistryAccessRule($admins, "FullControl", "Allow") + $acl.SetAccessRule($rule) + $key.SetAccessControl($acl) +} + +function Takeown-File($path) { + takeown.exe /A /F $path + $acl = Get-Acl $path + + # get administrator group + $admins = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-544") + $admins = $admins.Translate([System.Security.Principal.NTAccount]) + + # add NT Authority\SYSTEM + $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($admins, "FullControl", "None", "None", "Allow") + $acl.AddAccessRule($rule) + + Set-Acl -Path $path -AclObject $acl +} + +function Takeown-Folder($path) { + Takeown-File $path + foreach ($item in Get-ChildItem $path) { + if (Test-Path $item -PathType Container) { + Takeown-Folder $item.FullName + } + else { + Takeown-File $item.FullName + } + } +} + +function Elevate-Privileges { + param($Privilege) + $Definition = @" + using System; + using System.Runtime.InteropServices; + + public class AdjPriv { + [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)] + internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall, ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr rele); + + [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)] + internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok); + + [DllImport("advapi32.dll", SetLastError = true)] + internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid); + + [StructLayout(LayoutKind.Sequential, Pack = 1)] + internal struct TokPriv1Luid { + public int Count; + public long Luid; + public int Attr; + } + + internal const int SE_PRIVILEGE_ENABLED = 0x00000002; + internal const int TOKEN_QUERY = 0x00000008; + internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020; + + public static bool EnablePrivilege(long processHandle, string privilege) { + bool retVal; + TokPriv1Luid tp; + IntPtr hproc = new IntPtr(processHandle); + IntPtr htok = IntPtr.Zero; + retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok); + tp.Count = 1; + tp.Luid = 0; + tp.Attr = SE_PRIVILEGE_ENABLED; + retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid); + retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero); + return retVal; + } + } +"@ + $ProcessHandle = (Get-Process -id $pid).Handle + $type = Add-Type $definition -PassThru + $type[0]::EnablePrivilege($processHandle, $Privilege) +} + $bloatware = @( #"Anytime" "BioEnrollment" @@ -179,14 +285,6 @@ Start-Sleep 10 Write-Output "Removing additional OneDrive leftovers" foreach ($item in (Get-ChildItem "$env:WinDir\WinSxS\*onedrive*")) { Takeown-Folder $item.FullName - - # Grant full control to administrators - $acl = Get-Acl $item.FullName - $ar = New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators", "FullControl", "Allow") - $acl.SetAccessRule($ar) - Set-Acl $item.FullName $acl - - # Remove the item Remove-Item -Recurse -Force $item.FullName } |